LM-Rafael
Collaborator

CheckPoint Quantum 1600 Cluster stronger authentication required

Hi,

I have a Quantum 1600 device which I need to authenticate against the new Windows Server 2025 AD server. But I can only enter an IP address, and so it is not possible to successfully connect my appliance with the LDAPS Windows server. I get the error "Stronger authentication required". But I can enter only an IP address, no hostname or FQDN, and this is the reason the authentication fails against the AD server.

What can I do to solve this issue?

Thanks for the help

Rafael

0 Kudos
1 Solution

Accepted Solutions
itayravenna
Employee

@G_W_Albrecht @LM-Rafael @Tom_Hinoue 

Hi Guys,

Quick summary of the issue:
Starting with Windows Server 2025, Microsoft enforces LDAP signing and channel binding by default.
While earlier Windows Server versions allowed unsecured LDAP (simple bind without signing), Windows Server 2025 requires secure LDAP over SSL/TLS (LDAPS).

Since Quantum Spark appliances previously attempted LDAP communication without SSL, authentication failed due to missing certificate validation and channel binding enforcement.

We have now released a new Jumbo Hotfix (HFX) that adds support for LDAPS communication with Windows Server 2025.
This fix will also be included in our upcoming official release R82.x.

In the meantime, here are the Jumbo HFX download links:

After installation, run in clish:

set user-awareness ldaps true

On the Windows Server 2025 side, make sure a CA certificate is installed via Active Directory Certificate Services (AD CS).

Thank you all for your patience.

I’ll do my best to go back over the service requests from the past six months to make sure this fix reaches everyone who needs it.

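The accepted solution above boils down to one protocol fact: the appliance's simple bind on port 389 is rejected by a signing-enforcing DC with LDAP resultCode 8 (strongerAuthRequired), while the same simple bind inside a TLS session on 636 is accepted. The following stdlib-only probe is an added example written for this thread (it is not Check Point code and not from the original post): it builds the BindRequest by hand, sends it cleartext and over LDAPS with the certificate verified against the AD CS issuing CA, and decodes the BindResponse so you can see which path the DC accepts. The host name, bind DN, password and CA bundle path are placeholders you must replace, and the embedded rejection sample is constructed for the test, not a capture.

```python
import socket
import ssl

# LDAP resultCode values (RFC 4511) that matter for this check.
SUCCESS = 0
STRONGER_AUTH_REQUIRED = 8   # what ldp.exe reports as "stronger authentication required"

def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(n: int) -> bytes:
    """BER INTEGER body for a non-negative value (pad so the sign bit stays clear)."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if body[0] < 0x80 else b"\x00" + body

def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    This is the unsigned simple bind the appliance sends on port 389."""
    bind = (_tlv(0x02, _int(3))                # INTEGER version 3
            + _tlv(0x04, bind_dn.encode())    # LDAPDN
            + _tlv(0x80, password.encode()))  # [0] simple, context-specific tag 0
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + _tlv(0x60, bind))  # 0x60 = [APPLICATION 0]

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length

def parse_bind_response(msg: bytes):
    """Decode an LDAP BindResponse and return (resultCode, diagnosticMessage)."""
    tag, seq_start, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, id_end = _read_tlv(msg, seq_start)        # messageID, skipped
    op_tag, op_start, _ = _read_tlv(msg, id_end)
    if op_tag != 0x61:                               # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError(f"expected BindResponse (0x61), got 0x{op_tag:02x}")
    _, rc_start, rc_end = _read_tlv(msg, op_start)   # resultCode ENUMERATED
    _, _, dn_end = _read_tlv(msg, rc_end)            # matchedDN, skipped
    _, dm_start, dm_end = _read_tlv(msg, dn_end)     # diagnosticMessage
    return int.from_bytes(msg[rc_start:rc_end], "big"), msg[dm_start:dm_end].decode(errors="replace")

def classify(result_code: int, over_tls: bool) -> str:
    """Turn the resultCode into the operational verdict this thread is about."""
    if result_code == SUCCESS and over_tls:
        return "simple bind accepted inside TLS: LDAPS path works"
    if result_code == SUCCESS:
        return "simple bind accepted in cleartext: this DC does NOT enforce signing"
    if result_code == STRONGER_AUTH_REQUIRED:
        return "strongerAuthRequired: DC enforces signing; switch the appliance to LDAPS"
    return f"LDAP resultCode {result_code}"

def probe(host: str, bind_dn: str, password: str, ca_bundle: str, timeout: float = 5.0) -> dict:
    """Send the same simple bind on 389 (cleartext) and 636 (LDAPS).
    host must be the DC's FQDN: the certificate's SAN is checked against it,
    so binding by IP fails verification unless the cert carries that IP."""
    req = build_simple_bind(1, bind_dn, password)
    out = {}
    for port, use_tls in ((389, False), (636, True)):
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context(cafile=ca_bundle)  # AD CS issuing CA (assumed path)
            sock = ctx.wrap_socket(sock, server_hostname=host)
        try:
            sock.sendall(req)
            code, diag = parse_bind_response(sock.recv(4096))
        finally:
            sock.close()
        out[port] = (code, classify(code, use_tls), diag)
    return out

# Constructed sample of a rejection (not a capture): resultCode 8 with a
# diagnostic text in the style a Windows DC returns when signing is required.
SAMPLE_REJECT = _tlv(0x30, _tlv(0x02, _int(1)) + _tlv(0x61,
    _tlv(0x0A, _int(8)) + _tlv(0x04, b"")
    + _tlv(0x04, b"The server requires binds to turn on integrity checking "
                 b"if SSL/TLS are not already active on the connection")))

if __name__ == "__main__":
    import sys
    # usage: python ldap_bind_probe.py <dc-fqdn> "<bind DN>" '<password>' <ca.pem>  (all placeholders)
    host, dn, pw, ca = sys.argv[1:5]
    for port, (code, verdict, diag) in probe(host, dn, pw, ca).items():
        print(f"{port}: rc={code} {verdict} {diag!r}")
```

Run it against the DC's FQDN, not its IP: `ssl.create_default_context` verifies the server certificate against the CA bundle and checks the name, which is exactly the step that fails when the appliance only knows the address. A DC that still answers resultCode 0 on 389 is one where signing is not enforced, which is the weakening the R&D workaround in this thread asks you to accept; the probe makes that state visible instead of guessing from the appliance's error text.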

44 Replies
PhoneBoy
Admin

By what evidence do you conclude "I can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server"?

According to a TAC case with a similar error, we only support LDAP simple binds and you need to disable LDAP server signing.
See: https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-window...

0 Kudos
LM-Rafael
Collaborator

Hi PhoneBoy,

On the Windows Server 2022 Test AD Server, everything is running fine, and I can connect my firewall using LDAP. However, with the 2025 Datacenter AD Server, it is not possible, and I get the following error (see picture_1) when I click "Discover."

I have disabled the forced LDAPS requirement, but this did not resolve the issue. The output from LDP.exe confirms that access on port 389 without SSL is possible.

Where am I making a mistake?

Thanks and best regards,
Rafael

0 Kudos
PhoneBoy
Admin

Have you disabled LDAP Server Signing as mentioned in the article I linked?

0 Kudos
LM-Rafael
Collaborator

Hi PhoneBoy,

No, I only have problems when I disable LDAP server signing.

With Server 2022 everything is running fine (a separate dev environment).

Do you have another article on disabling server signing?

Thanks

Rafael

0 Kudos
LM-Rafael
Collaborator

Hi PhoneBoy,

I have tried to enable simple bind, but I think it is not possible on Windows Server 2025. I have tried 3 different how-tos unsuccessfully. ldp.exe tells me: "This server needs stronger authentication."

What can I do now?

Thanks

Rafael

0 Kudos
Chris_Atkinson
Employee

If you're already using R81.10.15 and this isn't working please report the issue to TAC for investigation.

Pending their feedback and consultation with R&D, it may require an RFE.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

Maybe this can be resolved by disabling LDAP Server Signing, but our customer does not want to do that! So we have opened an SR# for him...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

TAC responded:

As a first step, it's recommended to perform a firmware version upgrade on the device to a newer version, R81.10.17. You can download the firmware image from the following download link:
R81.10.17 Download link for 1530.

Please let me know if the issue persists after the firmware upgrade.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Of course, the upgrade did not resolve the issue and the SR# has no solution yet - and the customer is not willing to disable LDAP server signing, as this would mean lowering security on one end to get more security on the other. Also it looks like this procedure does not resolve the issue in all cases, if I sum up the discussion above. @Amir_Ayalon, any comments?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Can you confirm that this is an issue relevant for Gaia Embedded only? TAC did not mention that Gaia has the same issue, so if this is only SMB, please move the post to SMB!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

This seems like it's just SMB related.
Probably should have moved this post earlier 🙂

0 Kudos
G_W_Albrecht
Legend

I have news from R&D: the issue impacts Gaia devices as well.


We would like to inform you that Windows Server 2025 is currently not officially supported
for Active Directory integration with the gateway. When attempting to connect the gateway
to an AD server running Windows Server 2025, the integration fails during the LDAP bind
phase (simple bind).

Our teams are actively working on delivering a solution for this issue.

However, please note that we do not have an estimated timeline at this stage, so this is
currently considered a limitation.

As a temporary workaround, you may choose to disable LDAP signing, Please be aware that
this is not recommended due to the associated security risks.

Alternatively, we recommend using a supported version such as Windows Server 2022.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

Do you have an SR I can review on this?

0 Kudos
G_W_Albrecht
Legend

Not ready yet - but I will PM the SR#.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tom_Hinoue
Advisor

I got a different answer regarding the recommended supported version. In my SR, R&D advised using Windows Server 2019 and below, which is the supported version, not 2022. Hope we get clear answers soon.

0 Kudos
G_W_Albrecht
Legend

Your answer was not so very different - TAC told us to use versions older than Server 2025, on June 16th:

Our teams are actively working on delivering a solution for this issue. 

However, please note that we do not have an estimated timeline at this stage, so this is currently considered a limitation.

As a temporary workaround, you may choose to disable LDAP signing,  Please be aware that this is not recommended due to the associated security risks. 

Alternatively, we recommend using a supported version such as Windows Server 2022.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

Still no SK and no fix available! @itayravenna, any news yet?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
itayravenna
Employee

Hi @G_W_Albrecht Thanks for tagging me.
Our dev team is currently working on a fix.
We don’t have an ETA yet, but I’ve bookmarked this CheckMates thread and will post an update as soon as there’s news.

G_W_Albrecht
Legend

Is an SK available?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
itayravenna
Employee

Hi @G_W_Albrecht ,

We didn't publish an SK about it, no.

But we are actively working on fixing the WIN 25 integration

0 Kudos
G_W_Albrecht
Legend

Two weeks later: any fix or SK available?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

@itayravenna, any news?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

@itayravenna, @Amir_Ayalon, any news on fixing the WIN 25 server integration?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
itayravenna
Employee

Hi @G_W_Albrecht 

We are still working on it.

0 Kudos
G_W_Albrecht
Legend

Still nothing from R&D - no SK, nothing 😞

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

TAC is currently preparing the documentation on the limitation for Windows Server 2025. The first statement was that there is a limitation with Windows Server 2025. As a workaround, the options available are either to work with older versions or to disable LDAP signing.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LM-Rafael
Collaborator

Hi everyone,

I was able to resolve the issue by installing the latest Gaia Embedded firmware on the 1600 appliance and configuring Entra ID integration.
Now, users can connect via VPN, and authentication is handled through Microsoft Entra with two-factor authentication.

I'm very happy with this solution.

0 Kudos
G_W_Albrecht
Legend

So the issue is not resolved, it is working now as you changed from DC LDAPS to Entra ID...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
itayravenna
Employee

@G_W_Albrecht 

Hi Everyone,

We currently have an active workaround in place, but we still need to align on how to publish this appropriately.

Apologies for the inconvenience, and thank you for your patience.

0 Kudos
